By Alberto España. The arrival in 2020 of a new edition of the PCI DSS standard, PCI DSS 4.0, draws experts' attention to how well organizations and companies are meeting all of its requirements.
Alberto España, Senior Vice President of GM Security Technologies.
The global assessment shows growing weaknesses in the effectiveness of security software solutions and secure applications, and in sustaining the continuous evaluation of data protection processes.
According to Verizon's most recent report on payment security, the 2019 Payment Security Report, 15 years after the introduction of the Payment Card Industry Data Security Standard (PCI DSS), the share of companies that achieve and maintain 100% compliance with its 12 requirements has fallen from 52.5 percent in 2018 to a low of 36.7 percent worldwide.
PCI DSS governs the security of the systems and networks that process, store and/or transmit credit and debit card data. Compliance is mandatory for every company that accepts credit card payments through its offline or online channels. The standard is organized into six categories covering 12 requirements, or data protection processes, that must be implemented in the handling of business transactions by companies worldwide.
"The main weaknesses reported in the 2019 Payment Security Report concern the effectiveness of data protection technologies against vulnerabilities and attacks from abroad on critical business systems (Requirement 6 of the standard), as well as the fulfillment of continuous programs for evaluating data management processes," highlights Alberto España, Senior Vice President of GM Security Technologies.
Among the regions most aligned with the PCI DSS protocols, organizations in Asia-Pacific (APAC) stand out with 70% sustained compliance, compared with 48% in Europe, the Middle East and Africa (EMEA) and 20.4% in the Americas.
"At GM Security Technologies (GMST), we are convinced that the most effective way to improve the overall security posture of payment systems is to keep evangelizing the importance of PCI DSS compliance and advising merchants," adds Alberto España.
GMST has become the leading fraud prevention and security services company in the card payment industry in Latin America thanks to its recent acquisition of 1st Secure IT, a cybersecurity firm based in the United States.
The requirements of the PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) consists of six categories, 12 requirements, about 200 controls and 250 test procedures intended to guarantee the confidentiality of payment card data.
Its 12 fundamental requirements are as follows:
Build and maintain a secure network:
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied default passwords or other default values.
Protect cardholder data:
3. Safeguard the cardholders' personal information.
4. Encrypt cardholder data and confidential information when transmitted over open public networks.
Establish a vulnerability management program:
5. Use antivirus software and keep it updated and active on a regular basis.
6. Develop and maintain secure systems and applications.
Create strong access control measures:
7. Limit access to information to those who need it.
8. Assign a unique identifier to each person with access to the system.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks:
10. Track and monitor all access to network resources and cardholder data.
11. Perform regular tests of security systems and processes.
Maintain an updated information security policy:
12. Maintain a policy that addresses information security and keep it up to date.